[Samba] NT_STATUS_INTERNAL_ERROR

Ing. Luis Felipe Domínguez Vega luis.dominguez at mtz.desoft.cu
Thu Aug 10 19:43:10 UTC 2017


Hello, a short history: I am using Samba 4 with Debian 9 from the repository. 2 days ago the server broke, but I had copied the whole /var/lib/samba directory to a safe place. Then I installed a new server with the same Debian and Samba from the repository, stopped smbd, nmbd and winbind, unmasked samba-ad-dc, and finally copied the whole directory from the old server to the new server and started Samba. All works fine, BIND is integrated with samba_dlz, etc. But now when I go to join a Windows 7 PC to the domain, it shows an error with "Internal Error". On the AD server I ran this command:

kinit administrator
smbclient -k -L dc.mtz.desoft.cu -m smb2 -d5

and the output is

INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
doing parameter netbios name = DC
doing parameter realm = MTZ.DESOFT.CU
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
doing parameter workgroup = MTZ
doing parameter server role = active directory domain controller
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter client ldap sasl wrapping = sign
doing parameter ldap server require strong auth = No
doing parameter full_audit:prefix = %u|%I|%S
doing parameter full_audit:failure = connect
doing parameter full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
doing parameter full_audit:facility = local5
doing parameter full_audit:priority = notice
doing parameter tls enabled = yes
doing parameter tls certfile = /var/lib/samba/private/tls/dc-cert.pem
doing parameter tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
doing parameter tls cafile = /var/lib/samba/private/tls/cacert.pem
doing parameter tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
doing parameter tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
doing parameter ntlm auth = yes
doing parameter winbind max clients = 10000
doing parameter min protocol = SMB2
pm_process() returned Yes
added interface eth1 ip=fd2d:bba0:d4f9:4fb9:98fe:2ff:fe6b:adcb bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=10.11.0.1 bcast=10.11.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.1 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="DC"
Client started (version 4.5.8-Debian).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for realm 'MTZ.DESOFT.CU'
name dc.mtz.desoft.cu#20 found.
Connecting to 192.168.0.1 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061808
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/dc.mtz.desoft.cu at MTZ.DESOFT.CU
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

---------------------------------------------------------------------
smb.conf
----------------------------------------------------------------------
# Global parameters
[global]
        netbios name = DC
        realm = MTZ.DESOFT.CU
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MTZ
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        client ldap sasl wrapping = sign
        ldap server require strong auth = No
#       map to guest = bad user

        # Audit settings
        full_audit:prefix = %u|%I|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
        full_audit:facility = local5
        full_audit:priority = notice

        tls enabled       = yes
        tls certfile      = /var/lib/samba/private/tls/dc-cert.pem
        tls keyfile       = /var/lib/samba/private/tls/secure/dc-privkey.pem
        tls cafile        = /var/lib/samba/private/tls/cacert.pem
        tls crlfile       = /var/lib/samba/private/tls/mtz.desoft.cu.crl
        tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem

        ntlm auth = yes
#       lanman auth = yes
#       lanman auth = yes
        winbind max clients = 10000
        min protocol = SMB2

[netlogon]
        path = /var/lib/samba/sysvol/mtz.desoft.cu/scripts
        read only = No
        vfs objects = full_audit

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        vfs objects = full_audit


-- 
Luis Felipe Dominguez Vega 
System Administration in Desoft Matanzas | Mob: +5353694785 | http://www.desoft.cu/
https://www.facebook.com/lfdominguez0104 | https://www.linkedin.com/in/luis-felipe-dom%C3%ADnguez-vega-47725794/ | https://twitter.com/LuisFelipeDV1
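
As an added example (not part of the original post and not Samba code), this Python sketch summarizes a `smbclient -d5` trace like the one quoted above to show how far session setup got before it failed. The function name `summarize` is hypothetical, the OID labels are the standard SPNEGO mechanism identifiers, and the sample is an excerpt of the posted output, including the list archive's " at " in place of "@".

```python
import re

# Standard SPNEGO mechanism OIDs (well-known values, not taken from the post).
MECH_OIDS = {
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Sample input: excerpt of the smbclient -d5 output quoted in the post.
SAMPLE_LOG = """\
Connecting to 192.168.0.1 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
cli_session_setup_spnego: guessed server principal=cifs/dc.mtz.desoft.cu at MTZ.DESOFT.CU
Starting GENSEC submechanism gse_krb5
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

def summarize(log):
    """Report which stage of SMB session setup the client reached."""
    s = {"tcp_target": None, "server_mechs": [], "principal": None,
         "submech": None, "status": None}
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"Connecting to (\S+) at port (\d+)", line):
            s["tcp_target"] = f"{m[1]}:{m[2]}"
        elif m := re.match(r"got OID=([\d.]+)", line):
            # Mechanisms the server offered in its SPNEGO blob.
            s["server_mechs"].append(MECH_OIDS.get(m[1], m[1]))
        elif m := re.search(r"guessed server principal=(\S+?)(?:@| at )(\S+)", line):
            # Accept both "@" and the archive's " at " obfuscation.
            s["principal"] = f"{m[1]}@{m[2]}"
        elif m := re.match(r"Starting GENSEC submechanism (\S+)", line):
            s["submech"] = m[1]  # last submechanism started before any failure
        elif m := re.match(r"session setup failed: (NT_STATUS_\w+)", line):
            s["status"] = m[1]
    # A failure with no submechanism started happened before mechanism selection.
    s["failed_in"] = (s["submech"] or "before mechanism selection") if s["status"] else None
    return s

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted trace this places the failure inside the Kerberos submechanism (`gse_krb5`), after the TCP connection and the SPNEGO mechanism list had already succeeded.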


